Monday, September 18, 2023

Four major roles or entities under the GDPR

 


Data subject

A data subject is a natural person who can be identified, directly or indirectly, by an identifier such as a name, an ID number, location data, or characteristics of their physical, physiological, genetic, mental, economic, cultural, or social identity.

In other words, a data subject is any living individual whose personal data may be collected and used.

Data subjects have a number of rights under the General Data Protection Regulation (GDPR), including the right of access to their personal data, the right to rectification of inaccurate data, and the right to erasure (the "right to be forgotten").

Some examples of data subjects:

Staff members of the business

Suppliers to the business

Patients of a physician

Pupils in a school

Data controller

A person or organization that determines the purposes and means of processing personal data is known as a data controller. To put it another way, the data controller decides what data is collected, what it is used for, and how long it is retained.

Data controllers can be public or private organizations, and they can be large or small. Some examples of data controllers include:

·         Public institutions that gather residents' personal information

·         Healthcare organizations that gather patient information

·         Institutions that collect data about students

·         Social media sites that gather user information

 

Under the General Data Protection Regulation, data controllers have a variety of obligations, including:

·         Having a lawful basis (consent is one of several) before collecting and using personal data

·         Clearly explaining to data subjects how their data is used

·         Providing data subjects with the ability to view and manage their data

·         Taking appropriate technical and organizational measures to protect the security of the data

Data Processors

An entity that processes personal data on behalf of a data controller is known as a data processor. In other words, the data processor does not decide which data is collected, how it is used, or how long it is stored. The data processor merely acts on the data controller's documented instructions.

Data processors can be public or private organizations, and they can be large or small. Some examples of data processors include:

·         SaaS providers

·         Cloud computing providers

·         IT service providers

·         Marketing agencies

·         Credit card processors

·         Payment processors

Data processors have a number of responsibilities under the GDPR, such as:

·         Processing personal data only as instructed by the data controller

·         Protecting the confidentiality and security of personal data

·         Assisting the controller in upholding the rights of data subjects

·         Cooperating with the data controller to address requests from data subjects

Data protection officer

The person responsible for ensuring that an organization complies with data protection rules is the data protection officer (DPO). The DPO acts as an independent advisor to the organization's management on all matters relating to data protection.

The DPO's responsibility is to make sure the organization complies with all relevant data protection laws and rules. This includes:

·         advising the organization on its data protection policies and practices

·         monitoring the organization's data processing activities for compliance

·         advising on data protection impact assessments (DPIAs) and monitoring their performance

·         handling requests from data subjects

·         cooperating with, and acting as the contact point for, the data protection authorities


Saturday, September 16, 2023

GDPR in General


GDPR is a very important consideration for product companies providing a SaaS solution to the EU. GDPR gives data subjects (individuals in the EU, whatever their nationality) more control over their personal data, including the following rights:

·         Right of access to their personal data

·         Right to erasure of their personal data

·         Right to object to the processing of their personal data

It also sets out obligations for data controllers and data processors handling personal data.

Product companies need a proper understanding of the data controller's responsibilities so that they can turn those responsibilities into controls in the application, and on top of that they must follow the data processor rules while handling personal data.

Stop automatic security updates while the AWS EC2 instance is launching

We recently had a bad experience with automatic security updates. Our application is hosted in AWS, and our instances are auto-scaled based on usage. We unexpectedly encountered a production problem, and after investigation we discovered that newly scaled instances were to blame. Further investigation revealed that it was caused by a security upgrade that took place just before the instance started. Because it is a production environment, we decided to halt the security patch update until the code was fixed.

On the first boot of an Amazon Linux AMI, any user-space security updates rated critical or important are installed from the package repositories before services such as SSH start.

The steps we took to stop the security update at first boot are listed below.

Step 1: SSH to the EC2 instance and switch to the root user.

Step 2: Open the cloud-init configuration file for editing:

                vi /etc/cloud/cloud.cfg

Step 3: Change the repo_upgrade property. By default it is

                repo_upgrade: security

Change it to

                repo_upgrade: none

Step 4: Roll back the problematic update. Find the transaction id with yum history list, then undo it:

                yum history undo <<transaction id>>

Step 5: Create an AMI from this instance.

Step 6: Update the launch template to use the new AMI.

Step 7: Update the auto scaling group to use the latest version of the launch template.

Note that with repo_upgrade set to none, new instances boot with exactly the package versions baked into the AMI and receive no security fixes on their own, so once the code issue is resolved the AMI must be rebuilt and re-patched on a regular cadence (and the launch template updated again).

 

The following AWS FAQ entry was helpful:

https://aws.amazon.com/amazon-linux-ami/faqs/#:~:text=To%20disable%20the%20security%20update%20on%20boot%20when%20rebundling%20the,%3A%20security%20to%20repo_upgrade%3A%20none
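As an added example (not from the original post or from AWS documentation), here is the cloud.cfg change from Step 3 as a small POSIX shell script that sets the value, adds the key if it is missing, and verifies the result before you bake the AMI. The functions take the file path as a parameter; run without arguments the script works on a constructed sample fragment, not on the real /etc/cloud/cloud.cfg, so it can be tried safely before running it as root.

```shell
#!/bin/sh
# Added example (not part of the original post): set cloud-init's
# repo_upgrade value non-interactively and verify it, instead of editing
# /etc/cloud/cloud.cfg by hand in vi.
# Assumptions: an Amazon Linux style cloud.cfg with a top-level
# "repo_upgrade:" key; the path is a parameter so the functions can be
# exercised on a copy; the value contains no sed metacharacters.

# Set repo_upgrade to $2 in the file $1 (append the key if it is missing).
set_repo_upgrade() {
    cfg="$1"
    value="$2"
    if grep -q '^repo_upgrade:' "$cfg"; then
        # rewrite through a temp file (portable across GNU and BSD sed) and
        # copy back with cat so the original file's permissions are kept
        sed "s/^repo_upgrade:.*/repo_upgrade: ${value}/" "$cfg" > "$cfg.tmp"
        cat "$cfg.tmp" > "$cfg"
        rm -f "$cfg.tmp"
    else
        printf 'repo_upgrade: %s\n' "$value" >> "$cfg"
    fi
}

# Print the current repo_upgrade value (the last matching line).
get_repo_upgrade() {
    sed -n 's/^repo_upgrade:[[:space:]]*//p' "$1" | tail -n 1
}

# Exit 0 only if the file really carries the expected value; use this as a
# guard before creating the AMI so a typo cannot reach the launch template.
verify_repo_upgrade() {
    [ "$(get_repo_upgrade "$1")" = "$2" ]
}

# Demo: operate on the path given as $1, or on a constructed sample
# (the relevant fragment of cloud.cfg, not a real file) when no path is given.
CFG="${1:-}"
if [ -z "$CFG" ]; then
    CFG=$(mktemp)
    cat > "$CFG" <<'EOF'
# constructed sample fragment of /etc/cloud/cloud.cfg
repo_update: true
repo_upgrade: security
EOF
fi
echo "before: repo_upgrade: $(get_repo_upgrade "$CFG")"
set_repo_upgrade "$CFG" none
verify_repo_upgrade "$CFG" none && echo "after:  repo_upgrade: $(get_repo_upgrade "$CFG")"
```

On the instance, run it as root with the real path (sh disable-repo-upgrade.sh /etc/cloud/cloud.cfg, assuming you saved it under that name); the verify step is what you want in any image build pipeline, since a silent failure here means every auto-scaled instance still patches itself at boot.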

Thursday, August 17, 2023

How to use Draw.io to make a diagram with an animating arrow

As an architect, I draw my architecture diagrams primarily in draw.io. In this article, I'll describe my experience using the free draw.io application to create diagrams with animated arrows as GIFs.

Step 1: Draw a diagram for whatever you need.

Step 2: Select only the connectors.

Step 3: Once all the connectors are selected, a property pane appears in the right-hand style panel. Tick "Flow animation" in the property list.


 
Following that, the diagram shows an animated arrow.

The animated diagram cannot be downloaded as such, because draw.io has no option to export an animated GIF directly.

The animated diagram can be obtained in a variety of indirect ways; here are the steps I took on a Windows machine.

I captured the screen with the Snipping Tool and converted the MP4 to GIF using cloudconvert.com.

Step 1: launch the snipping tool



Step 2: In the Snipping Tool, select the record option and then select New.

Step 3: Select the region of the diagram you want to record. A few seconds of recording is enough.

Step 4: Save the screen recording in MP4 format.

Step 5: Upload the MP4 file to https://cloudconvert.com/mp4-to-gif and click Convert.

Step 6: Once it is converted, download the file in GIF format.

 


Sunday, July 2, 2023

Why is AI such a hot topic at the moment?

These days, artificial intelligence is a hot topic. There is a clear exponential trend in web searches and mentions of artificial intelligence. AI is not something new.

The phrase "artificial intelligence" was first coined in 1956.

ELIZA, the first natural language processing program, was developed in 1966.

Shakey, the first general-purpose mobile robot, was completed in 1972.

The WABOT-1 humanoid robot was built in 1973.

In 1997, IBM's Deep Blue became the first computer to defeat a reigning world chess champion, Garry Kasparov.

In 2002, the Roomba vacuum cleaner brought AI into the home for the first time.

AI improved significantly after 2010 and is now used by numerous businesses.



 

Today, AI is pervasive. Because it can effectively address complicated problems in a variety of areas, including healthcare, entertainment, banking, and education, it is becoming increasingly important for the modern world. Our daily lives are becoming faster and more comfortable as a result of AI.

Even though the concept of AI has been around for a while, the development of cloud technology has made it simpler to put into practice. Companies such as Google Cloud, Amazon Web Services, and Microsoft Azure stepped up their research to improve their machine learning, analytics, computer vision, and natural language processing tools, and these developments increased interest in AI. Data storage and retrieval in the cloud are now affordable, computing power is available on demand, and cloud-based machine learning services make it relatively simple to create predictive models. The SaaS sector also drives the advancement of AI technologies: companies that offer SaaS products need to focus more on AI to expand their feature sets. Some of the benefits listed below can be taken into account for product development.


 

Artificial intelligence is the ability of machines to learn from experience, adapt to new inputs, and carry out tasks that humans perform. The term combines "artificial", meaning man-made, and "intelligence", meaning the power to think.

The term "AI" covers all machine intelligence. A variety of technologies are used to give machines human-level ability to sense, comprehend, plan, act, and learn. Machine learning, natural language processing, computer vision, and other technologies make up the AI landscape.

 

Machine learning: Machine learning is one of the core components of AI. It can be broadly defined as a machine's ability to replicate intelligent human behaviour by learning from data. Many machine learning algorithms are used to build AI behaviour. Deep learning is a subset of machine learning that uses neural networks to approximate how the human brain processes information.

Natural language processing (NLP): NLP is the part of AI that enables computers to understand, produce, and manipulate human language. It makes it possible for computers and people to interact in natural language.

Computer vision: Computer vision enables machines to see, understand, and respond to their surroundings. It uses deep learning and pattern recognition to interpret image content (graphs, tables, PDF files, and video).

Speech: Speech-to-text, text-to-speech, speech translation, and similar conversions. It builds on natural language processing techniques to allow natural conversation with machines.

Robotic process automation (RPA): Automating repetitive, rule-based operations such as typing, form-filling, and invoice processing. It is implemented with optical character recognition, machine learning, and natural language processing.

Smart analytics: Automated data analysis and insight discovery using machine learning and AI. Fraud detection, risk assessment, and price optimisation use smart analytics.

 



 

AI systems are designed to reduce human error and to work independently so as to minimize human effort. This is done by studying how people behave and decide in specific situations, including observing people as they complete straightforward tasks, and using those findings to build intelligent systems that act, learn, and make decisions.

Since AI is so popular, many industries use it. AI becomes a concern if it is not used appropriately. As with any other technology, there are challenges to overcome.

Requires high-end computers: The hardware and software needed for AI are expensive and need a lot of maintenance to keep up with modern demands.

Cannot think outside the box: Even though AI lets us build smarter machines, these systems still cannot perform tasks outside their training or programming.

No feelings or emotions: Even though AI systems can perform exceptionally well, they cannot form an emotional connection with people because they lack feelings. If the necessary precautions are not taken, this can occasionally be harmful to users.

Increased dependency on machines: People are becoming increasingly dependent on technology as it advances, which is also making them less mentally capable.

No original creativity: Humans are highly imaginative and creative; AI systems cannot match this level of human intelligence and cannot be inventive or creative.

Enterprises increasingly depend on artificial intelligence to make important decisions as it establishes deeper roots in every sphere of business. AI is used for everything from AI-based innovation to improving customer experience and optimising profit. This transition has been made possible by how easily small and medium-sized businesses can now use AI, ML, deep learning, and neural networks.

Contrary to the common misconception that AI will replace humans across job roles, the coming years may see a collaborative relationship between humans and machines that strengthens cognitive skills and talents and increases overall productivity.


Monday, June 12, 2023

Why do DDoS attacks happen?

Like just about every company, Our Company has experienced attempted DDoS (distributed denial of service) attacks on our product's surface area over the past couple of years.

In the case of our company, it had no significant effect because of the strong security measures built into our system. As part of a standard application security examination, we detected this attack and “stopped” those requests at an early stage. I, as CTO, then informed the Exec Team of the incident, stating that we had received a high-level DDoS attack. It appeared that the perpetrator was from Russia (see below) and was attempting to attack our application via a German VPN, which we immediately blocked.

Too many companies try to hide or understate the severity of attempts to breach their cyber security defences, but I wanted to write this post because, by sharing information on real-life examples, we can help others ensure their cyber defences are as robust as possible.




Some of the questions for me were:

Why try to attack our application? What benefit is there to the attacker from attacking us?

Why did the hackers choose Our Company ?

I believe these are questions that should be asked, not just for us, but for most companies.

Initially, I had no answers to those questions. I started investigating and believe that the following could be some of the causes:

1. Activism through hacking

2. Political motivation

3. Retaliation

4. Negative brand image

5. For pleasure or learning

In our situation, I believe it was purely for pleasure, and the popularity of our product may be one reason for the attention.

The following are the main types of DDoS attack.

1. Application layer attack / layer 7 attack: The attacker uses many bots or services to send HTTP or HTTPS requests to the application repeatedly. The most common form is the HTTP flood, in which a botnet sends HTTP GET or POST requests to the server from many different IP addresses. This attack is hard to counter because each request looks like a legitimate one and the attacker keeps changing source addresses and client identities.

2. Protocol attack / layer 3 or layer 4 attack: Protocol attacks exploit weaknesses in layer 3 or layer 4 of the OSI model. The most common is the TCP SYN flood, in which a stream of TCP SYN packets leaves the target holding many half-open connections; the connection table fills up and legitimate clients can no longer connect.

3. Volumetric attack: These attacks try to cause congestion by consuming all available bandwidth between the target and the Internet. Large amounts of traffic are sent to the target using amplification (small requests to third-party servers whose much larger responses are directed at the victim) or another source of massive traffic, such as botnet requests.

In our scenario, we were targeted at the application layer.

To prevent these types of attacks, My Digital has developed a number of preventative measures. The following are some of the ways to prevent DDoS attacks:

1. Create an effective monitoring system. Continuous monitoring means an organisation automatically and continuously watches its applications, IT systems, and networks to detect security threats, performance problems, or non-compliance. The goal is to spot problems and threats in real time and resolve them as soon as possible. For DDoS this means alerting on request-rate spikes per source address, per endpoint, and in aggregate, since a botnet flood may stay under any per-source threshold.

2. Identify problems early in the development process. Follow the OWASP Top 10 guidance when writing code and perform static and dynamic analysis to detect vulnerabilities early. Use software composition analysis tools to detect known vulnerabilities in the open-source libraries you depend on.

3. Build a strong internal and external network perimeter. Do not expose unnecessary ports and IP addresses. Use a good network firewall, intrusion detection, and endpoint security to block malicious activity, and a web application firewall with rate limiting at the application layer.

4. Follow your cloud provider's best practices. All cloud providers publish best practices and offer tools, including managed DDoS protection, to safeguard the environment and applications. Follow their guidance to reduce the impact of an attack.

Build redundancy and practical backup procedures on top of all of this to eliminate single points of failure.
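As an added example (not code from the original post), here is the request-rate check that the monitoring point above, and the HTTP flood described under application layer attacks, call for: a POSIX shell script using awk over a web server access log. It counts requests per client IP per clock minute and, separately, total requests per minute, because a flood spread across a botnet can stay under any per-IP threshold while the aggregate rate spikes. It assumes the common/combined log format (client IP in field 1, timestamp "[dd/Mon/yyyy:HH:MM:SS" in field 4); the log lines, the IP addresses (RFC 5737 documentation ranges) and the threshold are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the original post): spot an HTTP flood in a
# web server access log in common/combined format.
# Assumptions: field 1 is the client IP, field 4 is "[dd/Mon/yyyy:HH:MM:SS";
# the sample log below is constructed, as is the threshold of 20/minute.

# Print "ip dd/Mon/yyyy:HH:MM count" for every client that sent more than
# $2 requests within one clock minute of the log file $1.
flag_per_ip_flood() {
    awk -v threshold="$2" '
    {
        split($4, t, ":")            # t[1]="[dd/Mon/yyyy" t[2]=HH t[3]=MM
        minute = substr(t[1], 2) ":" t[2] ":" t[3]
        count[$1 " " minute]++
    }
    END {
        for (k in count) if (count[k] > threshold) print k, count[k]
    }' "$1" | sort
}

# Print "dd/Mon/yyyy:HH:MM count" for every clock minute regardless of
# source IP, so a distributed flood shows up as a spike against the baseline.
requests_per_minute() {
    awk '
    {
        split($4, t, ":")
        count[substr(t[1], 2) ":" t[2] ":" t[3]]++
    }
    END { for (k in count) print k, count[k] }' "$1" | sort
}

# Constructed sample: one noisy client (30 hits on /login in one minute),
# one normal client with two requests over two minutes.
make_sample_log() {
    i=0
    while [ "$i" -lt 30 ]; do
        printf '203.0.113.5 - - [18/Sep/2023:10:00:%02d +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/8.0"\n' "$i"
        i=$((i + 1))
    done
    printf '198.51.100.7 - - [18/Sep/2023:10:00:05 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"\n'
    printf '198.51.100.7 - - [18/Sep/2023:10:01:10 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n'
}

# Demo: use the access log given as $1, or the constructed sample otherwise.
LOG="${1:-$(mktemp)}"
[ -n "${1:-}" ] || make_sample_log > "$LOG"
echo "clients over 20 requests per minute:"
flag_per_ip_flood "$LOG" 20
echo "total requests per minute:"
requests_per_minute "$LOG"
```

Run it against a real log with sh flood-check.sh /var/log/nginx/access.log (assuming you saved it under that name). Per-IP counts are what a WAF rate-limit rule keys on; the per-minute totals are what you compare against the normal baseline to catch the case the post describes, where the attacker keeps rotating source addresses.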

Deploying Laravel Code into AWS Lambda

 

AWS Lambda does not natively support a PHP runtime. To run PHP on Lambda we must use either a container image or the Bref package. In this article, I'll show how I used Bref to deploy Laravel API services as an AWS Lambda function.

We must first install the Serverless Framework, which helps develop and deploy code to AWS Lambda. It is a free, open-source, Node.js-based command-line tool that deploys both your code and the cloud infrastructure it needs, described in simple YAML.

Step 1: npm install -g serverless

If you already have a Laravel project, change into its root directory; otherwise create a new project with the following command:

Step 2: composer create-project laravel/laravel example-app

In the root of the Laravel project, install the Bref packages with the following command:

Step 3

composer require bref/bref bref/laravel-bridge --with-all-dependencies

If you get an error message about dependencies, use the following command instead:

composer require bref/bref bref/laravel-bridge --update-with-dependencies

Now you have to create a serverless.yaml file. To generate it, use the following command:

Step 4

php artisan vendor:publish --tag=serverless-config

After this command, a serverless.yaml file appears in the project root, similar to the following:

service: <<Name of the service you want>>

provider:
    name: aws
    # The AWS region in which to deploy (us-east-1 is the default)
    region: eu-west-1
    # Environment variables
    environment:
        APP_ENV: local # Or use ${sls:stage} if you want the environment to match the stage

package:
    # Files and directories to exclude from deployment
    patterns:
        - '!node_modules/**'
        - '!public/storage'
        - '!resources/assets/**'
        - '!storage/**'
        - '!tests/**'

functions:
    # This function runs the Laravel website/API
    web:
        handler: public/index.php
        runtime: php-81-fpm
        timeout: 28 # in seconds (API Gateway has a timeout of 29 seconds)
        events:
            - httpApi: '*'

    # This function lets us run artisan commands in Lambda
    artisan:
        handler: artisan
        runtime: php-81-console
        timeout: 720 # in seconds
        # Uncomment to also run the scheduler every minute
        #events:
        #    - schedule:
        #          rate: rate(1 minute)
        #          input: '"schedule:run"'

plugins:
    # We need to include the Bref plugin
    - ./vendor/bref/bref

The final step is to deploy to Lambda. To deploy you need an AWS access key and secret key with the permissions required for the resources the framework creates (the CloudFormation stack, the Lambda functions, the API Gateway, the IAM execution role, and the S3 deployment bucket). Create a dedicated IAM identity with only those permissions rather than using an administrator's keys. The following command stores the credentials in the AWS credentials file on your local machine, so treat that file as a secret and never commit it to the repository.

Step 5

serverless config credentials --provider aws --key <key> --secret <secret>

Finally, run the following command to deploy:

Step 6

serverless deploy

Monday, February 13, 2023

Open source libraries or programming languages: Are they vulnerable?

 


As an architect, when I recommend open source the team raises many concerns about open-source security. If the source code is open, does it become vulnerable? I say no. Closed-source code is vulnerable and subject to attack as well, so both are equally at risk if we do not pay attention to security measures.

Some people argue that closed source is more secure because the source code is not publicly available, which makes it harder for attackers to study. But source code is needed to develop new features, and attackers are not developing features. The attacker's goal is to discover a flaw to exploit.

In general, attackers use a variety of tools to identify security flaws in a system, whether it is closed or open source. They do not need the source code to find them.

Open source generally has an advantage over closed source in getting security fixes quickly. An active community maintains the code, looks for security flaws, and provides fixes as soon as possible. With closed source we must wait for the vendor to release a fix.

Some argue that because the source code is available, malicious code such as a backdoor could be introduced. It depends on which open-source software you use. In most established projects the community reviews code before it is released, so it is not easy to slip in a backdoor.

Before adopting any open-source technology, find out the answers to the following questions:

  • Is the open-source community active?
  • Is the software maintained by one person or by a group?
  • How frequently is the code updated, and how often are releases made available?

On top of that, use a proper static code analysis tool during development and an open-source vulnerability management (software composition analysis) tool to identify known vulnerabilities in the libraries you depend on.

My final piece of advice is not to be constrained when selecting any technology, tool, library, or framework; choose what best suits your team and matches the business use case. Security should be part of your process and day-to-day activities, not just a property of the code. Some people think that once they have selected a framework it will automatically take care of security. This is not correct.

Tuesday, January 31, 2023

PHP Updates: Why We Need to Live With the Latest Version

 

This article was inspired by the shocking results of W3Techs' survey report. According to it, 77.7% of websites (of those whose server-side language W3Techs can detect) use PHP, so the good news is that PHP is still a very popular language for website back ends.

When we look at the PHP versions those websites run, the statistics are shocking: approximately 90% of sites use outdated PHP versions. A language runtime is not vulnerable merely because it is old, but a version that no longer receives security updates accumulates unpatched, publicly known vulnerabilities, and that is what makes it dangerous.

The PHP version and support cycle as of Jan. 31, 2023 are shown in the table below, taken from php.net. 8.0, 8.1, and 8.2 are the supported versions.

 


 

What will you miss if you do not update?

  1. Security updates: If you are not on a supported version, you will not receive fixes for known vulnerabilities, so keeping your runtime up to date is critical to securing your application. Known vulnerabilities are catalogued in the CVE database; OWASP Top 10 A06:2021 (Vulnerable and Outdated Components) covers the importance of keeping software updated.
  2. Performance: Look at the PHP version performance benchmarks to see what you are missing by not updating.
  3. New features: Look at the php.net site to see which new features you are missing by not updating.